Not able to source openrc file for wad user after admin password changed and reset

Bug #2039870 reported by Carmen Rata
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Carmen Rata

Bug Description

Brief Description
-----------------

Not able to source openrc file for a wad user after admin password change and reset back to original password.

Severity
--------

Major

Steps to Reproduce
------------------

Add remote AD details using service parameter on the system:

system service-parameter-add identity ldap-domain1 domain_name=ad.domain.com
system service-parameter-add identity ldap-domain1 ldap_uri=ldaps://ad.domain.com
system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=users,DC=ad,DC=domain,DC=com
system service-parameter-add identity ldap-domain1 ldap_search_base=CN=users,DC=ad,DC=domain,DC=com
system service-parameter-add identity ldap-domain1 ldap_default_bind_dn=CN=admin_user,CN=users,DC=ad,DC=domain,DC=com
system service-parameter-add identity ldap-domain1 ldap_default_authtok=<authtoken>
system service-parameter-add identity ldap-domain1 ldap_user_search_base=CN=users,DC=ad,DC=domain,DC=com
system service-parameter-add identity ldap-domain1 ldap_group_search_base=CN=groups,DC=ad,DC=domain,DC=com
system service-parameter-apply identity --section ldap-domain1

Install AD cert on the system:

system certificate-install -m ssl_ca <ad.crt>

Log in as the WAD user:

[sysadmin@controller-0 ~(keystone_admin)]$ ssh <email address hidden>@controller-0
Source the openrc file:

<email address hidden>@controller-0:~$ source /etc/platform/openrc
[<email address hidden>@controller-0 ~(keystone_admin)]$

Manually change the admin password:

[sysadmin@controller-0 ~(keystone_admin)]$ openstack user password set --os-region-name RegionOne --password '<passwd_change1>' --original-password '<passwd_orig>'
[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
<passwd_change1>

[sysadmin@controller-0 ~(keystone_admin)]$ source /etc/platform/openrc
[sysadmin@controller-0 ~(keystone_admin)]$ openstack user password set --os-region-name RegionOne --password '<passwd_change2>' --original-password '<passwd_change1>'
[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
<passwd_change2>

[sysadmin@controller-0 ~(keystone_admin)]$ source /etc/platform/openrc
[sysadmin@controller-0 ~(keystone_admin)]$ openstack user password set --os-region-name RegionOne --password '<passwd_change3>' --original-password '<passwd_change2>'
[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
<passwd_change3>

Reset back to original password.

[sysadmin@controller-0 ~(keystone_admin)]$ source /etc/platform/openrc
[sysadmin@controller-0 ~(keystone_admin)]$ openstack user password set --os-region-name RegionOne --password '<passwd_orig>' --original-password '<passwd_change3>'
[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
<passwd_orig>

Expected Behavior
------------------

<email address hidden>@controller-0:~$ source /etc/platform/openrc
[<email address hidden>@controller-0 ~(keystone_admin)]$

Actual Behavior
----------------

<email address hidden>@controller-0:~$ source /etc/platform/openrc
Not enough privileges to read keyring password.
controller-0:~$

Reproducibility
---------------
Reproducible

System Configuration
--------------------

System Type: simplex

Last Pass
---------
New test.

Test Activity
-------------
Automated Run: Regression Testing

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to upstream (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/upstream/+/898888

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Carmen Rata (crata)
importance: Undecided → Medium
tags: added: stx.9.0 stx.security
Carmen Rata (crata)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to upstream (master)

Reviewed: https://review.opendev.org/c/starlingx/upstream/+/898888
Committed: https://opendev.org/starlingx/upstream/commit/eb557c0450684931b48b6975c80f8ce05f45a3d4
Submitter: "Zuul (22348)"
Branch: master

commit eb557c0450684931b48b6975c80f8ce05f45a3d4
Author: Carmen Rata <email address hidden>
Date: Fri Oct 20 02:56:41 2023 +0000

    Set keyring dir group ownership on password change

    This commit changes the group ownership for "/opt/platform/.keyring"
    directory, and its subdirectories and files, from "root" to
    'sys_protected', when keystone password changes for the admin user.
    The 'sys_protected' group ownership is needed to support access
    privileges for OpenLDAP/WAD users and is implemented by the ansible
    bootstrap configuration.
    The group ownership update in this commit is required because after
    a keystone and corresponding keyring password change for the admin
    user, the group ownership of the "/opt/platform/.keyring" directory
    has been reset to "root".
    As a consequence, an LDAP user loses permission to access files in
    that directory.
    The group ownership reset is done in the keystone package.
    That is why the fix for this bug is delivered as a patch for the
    keystone package.

    Test Plan:
    PASS: Verify the keystone patch installs correctly.
    PASS: Verify the group ownership was applied correctly
    for files in "/opt/platform/.keyring" so they are part of the
    "sys_protected" group before changing keystone password for the admin
    user.
    PASS: Verify the group ownership for files in "/opt/platform/.keyring"
    remains "sys_protected" after changing keystone password for the admin
    user.
    PASS: Verify that an openldap user that is part of the "sys_protected"
    group can execute command: "source /etc/platform/openrc" after the
    keystone password has been changed for the admin user.

    Closes-Bug: 2039870

    Change-Id: I0360d1f13725cca9900b967c32451fc6f7afe761
    Signed-off-by: Carmen Rata <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
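An added check for the condition the commit above describes (example code, not StarlingX's or the keystone patch's own): it walks a keyring directory, reports every path whose group is not the expected one, and can re-apply the group recursively the way the patch does. The defaults are the directory and group named in the commit message; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not StarlingX code: audit (and optionally restore) the group
# ownership of the keyring directory, the condition the keystone patch fixes.
# Defaults are the directory and group named in the commit message.
KEYRING_DIR="${KEYRING_DIR:-/opt/platform/.keyring}"
KEYRING_GROUP="${KEYRING_GROUP:-sys_protected}"

# Print every path under $1 whose group is not $2.
# Returns 0 when all paths carry the group, 1 when at least one does not,
# 2 when the audit itself could not run (missing directory, a group name
# this host does not know, or a subtree find could not traverse).
keyring_group_check() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    stray=$(find "$dir" ! -group "$group") || return 2
    [ -z "$stray" ] && return 0
    printf '%s\n' "$stray"
    return 1
}

# Number of paths under $1 not in group $2; 0 when clean. Only meaningful
# when keyring_group_check itself could run (returned 0 or 1).
keyring_group_stray_count() {
    keyring_group_check "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Re-apply group $2 to directory $1 recursively, as the patch does after a
# password change, then re-audit so the caller gets a verified result.
keyring_group_restore() {
    chgrp -R "$2" "$1" || return 1
    keyring_group_check "$1" "$2" >/dev/null
}

# Stand-alone use: audit the real directory when this host has one.
if [ -d "$KEYRING_DIR" ]; then
    if keyring_group_check "$KEYRING_DIR" "$KEYRING_GROUP"; then
        echo "ok: everything under $KEYRING_DIR is in group $KEYRING_GROUP"
    else
        echo "group ownership drift under $KEYRING_DIR (paths listed above)" >&2
    fi
fi
```

Run it as root on a controller after an admin password change to confirm the ownership the test plan expects; a non-zero count is the state in which a WAD user's `source /etc/platform/openrc` fails.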